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(54) Method and apparatus for the secure distribution of encryption keys 

(57) Apparatus for transfening the encryption key in 
a secure way. to facilitate establishing a secure commu- 
nicdibn link, comprises a key management device 
attaching to each user*s encryption machine foir the pur- 
pose of key distribution, and a secure encryption 
distribution center. A key management devtee 
attached *b each user's encryption machine, containing 
a list of secure communication partners and their 
respective encryption keys. The encryptfon key and 
other parameters are transferred automatically to the 
encryption machina The called machine receives the 
caller kJentification, and the encryption key and other 
parameters are transfenred automatically The device 
displays to each user the tme, relive kientity of the 
other party If the desired addressee data is not found in 
the local data list tfie key management device connects 
a secure key distribution center. The communicafion 
with the key distribution center is protected by encryp- 
tion using the public key method. The key distrftxition 
center creates, for ea<^ user, a "ceiliffcate" whfch 
includes the user public key, user kJentification and 
issue date, all encrypted witti the center's private k^. 
The certifk^te can be used to access a nultitude of 
remote databases or other infbrmation sennces on an 
In'egular baste, without the need to subscra>e to all of 
them. It maybe also used for secure payment over inse- 
cure links using aedit cards and^or for caller kJentifica- 
tion. The certificate method is used for flexible 
authorization schemes, to indtoate changing time period 
of vaficfity or authorizations/ permits. 
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Description 

The invention relates to safe public comnuinication 
systems which indvde means for secure dtstrSxition of 
the encryption key and the communication parameters. 5 

N^'ous detnces and methods were devrised for 
secure voice and/ or data communication for public use, 
using analog or digital encryption means. Common to 
the various encryption methods is the use of an encryp- 
tion l<ey. which provides a higher level of protection io 
together with flexibility and standardization. Public key 
encryption, by using separate encryption and decryp- 
tion keys, offers better protection for encrypted mes- 
sages. 

A public key cryptographic system and mettiod was dis- is 
ck>sed in Merkle-Hellman U.S. Patent No. 4,218.582; 
the RSA (Rivest- Shamir- Adieman) encryption system 
and method was disclosed in U.S. Patent No 
4,405,^. 

Wrth the proliferation of encryption machines in 20 
commerce and for private use, a situation arises 
wherein a user desires to establish a secure communi- 
catic^ link with another user having an encryption 
machine. 

The user poses a problem: How to exchange the 2s 
encryption keys In a secure way, to establish the secure 
Ml If the key is compromised, tfien the whde commu- 
nication Is conpromtsed, and tiie encryption is useless. 
This is a vicious cirde. since a secure link is required to 
transmit the key to begin witii; but, since the other party so 
doesnl have yet tiie key. tiie secure link cant be used to 
transmit ttiek^ itself. 

Furthermore, data communication systems face tiie 
dangers of eavesdropping and impersonation, vwtti the 
assodated risks of tiie key being intercepted or a false 35 
key being transmitted by an impersonator. Accordingly, 
means are required for secure key distribution, this 
being an essential requirement for the widespread use 
of encrypiion machines, tiiat Is for establishing a secure 
linkbetween parties which had no prevk)us secure com- 40 
munications therebetween. 

The security of the encryption process depends on 
tiie security of tiie encryption key, which depends on the 
securi^ of the key distribution means; therefore, special 
means are required to provide a higher level of protec- 4s 
tion for the key distribution means itself. 

A directory of public toys could be used, but a fixed 
list cannot cope witti the fast changing sihjation in this 
area, wrtii new i^rs joining continuously, users chang- 
ing address and users changing keys for better protec- 59 
tion. 

>^rious attempts at solving tiie key dissenvnation 
problem were devised, for example PGP maintains a 
public server containing a fist of public keys. PGP sender 
accepts and maintains a fOe with a cdlection of identifi- ss 
cation packages (KeylD). Each kJentification package 
includes tiie name and details of a key hoMer, together 
witti his/her public k^, which are signed (auttienticated) 



by a tiiird party which encrypts tiie package witii his/her 
private key. 

Anottier party desiring to communicate viritti such a 
key holder searches for an identification package 
signed by someone known/ accepted tsy ttiem. tiius 
"ensuring" that that is the true key, which truly belongs 
to tiie person as claimed; tiie tiiird party is 
"known/accepted" In tiie sense timt tiie caller believes 
that its encryption key pair are as claimed and are not 
compromised. Since any single tiiird party may be 
unknown to the other party, said key holder submits a 
plurality of identification packages to tiie PGP server, 
each signed by a different third party: anottier party 
fooking for a reliable encryption key has to desiring to 
oomnunicate witii search all the packages belonging to 
tiiat key holder, until he finds one signed by a tiiird party 
known to him. 

Thus, the PGP sender maintains a file witii a collec- 
tion of klentiftoation packages for a multitude of users, 
and wftii a plurality of packages for each user. Thus it 
may be difffoult to keep tiiis vast quantity of information 
to disseminate It to users. 

Anotha' key dissemination metiiod is enployed by 
Verisign, which distributes digital "certificates" valid for 
a long time period, for example 5 years. 

A certiffoate Indudes tiie name and additional infor- 
mation for a user, togetfier with tiie public key for tiiat 
user and tiie expiry date of tiie certificate, all encrypted 
witii the private key of the issuing autiiority. Another cer- 
tificate is issued to tiiat first issuing authority by a higher 
secorKj authority, and so on. This is a Nerarchical 
auttiorization structure, with a user bringing signatures 
from persons/ entities at several levels, until a level high 
enough is reached whfoh is also part of tiie hierarchy of 
tiie calling party. 

A great effort is put into ensuring the identity of a 
user before issuing a certificate, and in keeping the cer- 
tificates; however, a certificate once Issued may be 
compromised during Its tong lifetime, in which case it is 
difffoult to replace. TTie center has no control over tiie 
use of an issued certificate while tiie certificate is still 
valid, during tiie long period as set at issue time; only 
the "black lisT at the center may give a warning to that 
effect, but tiiat can only prevent communications. A reli- 
able k^ has yet to be exchanged between the parties, 
which is difTicult in tills case. 

RSA Data Security ln& offers anottier system 
including a center which issues certificates, tiiat is dig- 
ital documents containing tiie name and details for a 
user, togettier witti his/her public key and an expiration 
date, all encrypted witti ttie private key of tiie center. 
The expiration date is a weak link for this system since, 
as the key approaches its expiry date, ttie chance of its 
bdng comprornsed increases, and more verification 
requests will be placed witti the center. 

If a key is oonpromised. it is practically impossible 
to remove it from the server; PGP and RSA only keep a 
second list (the black fist) of disabled or canceled k^. 
but this is a cumbersome and ineff ident method. 
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If the private of the RSA or other similar centers 
Is oompronrused, this resuHs In a 'catastrophe' , since 
anyone can impersonate other users. 

Another user of public key encryption is the PC 
program package offered by Microsoft for the transmis- 5 
sion of FAX messages. TTie FAX may be encrypted 
using a password or a digital key. Again, they face the 
same problem of reliable key dissemination. Microsoft 
advises to exchange diskettes containing the key. 
dearty a difficult to use method. A put>iic key can be io 
exchanged by communication means, and again there 
Is the problwn of identifying the other party- how one is 
to know that the answering party is truly the person it 
claims to be. 

Caller identif k^ation is a problem encountered in various is 
situations in the modern perkxJ of widespread use of 
global comnunicatbns and information exchange. 

It Is an object of the present Invention to provkJe an 
apparatus and method for transfening the encryptron 
key in a secure way. to fadlitate establishing a secure so 
communlcatton link, comprising a key management 
device attaching to each user's encryption machine for 
the purpose of key distribution, and a secure encryption 
key distribution center provkJing the service of secure 
encryption key dissemination to authorized users. ss 

This object is achieved by a key distribution center 
as disclosed in claim 1 and by a method as disctosed in 
daim 5. 

According to one aspect of the present invention, 
there is provided a key management derice attaching to so 
each user'^ encryption machine, containing a list of 
secure communtoatkm partners and their respective 
encryption keys and parameters. To Initiate a secure 
link session, the user keys in the kientifk:ation of the 
desired addressee; if the details of that addressee are ss 
stored In the communication partners data fist then the 
encryption key and other communication parameters 
pertaining to that person are transferred aUomat'cally 
to the encryption machine, and the secure Bnk Is estab- 
lished. 40 

Ukewise, if this machine is accessed by another 
user's device, then the other device transmits its Identi- 
fication, and again the encryptton key and other com- 
municatk)n parameters are read from the list and 
transferred automatically to the encryption machine. 4s 
A display is used to display to each user the true, relia- 
ble Wentity of other party, as established during the 
secure link setup. 

According to another aspect of the present inven- 
tk)n, if the desred addressee data Is not found in the so 
secure communicatkm partners data list then the key 
management devtoe automatically connects a secure 
key distribution center, to get the encryption k^ and 
parameters for that addressee This data is then trans- 
ferred to tiie encryplk)n machine and is also stored in ss 
the local list for future use. 

According to a third aspect d the present invention, 
the oomnuinication witti tiie key dtstn*bution center Is 
protected by encryption using the public key method. 



The encryption k^ request is transmitted to tiie center 
after encryption with the center*s pubOc key; the center 
uses its private key to identify the inquirer and the 
addressee, and then transmits the desired information 
after encryption witti the inquirer's publk; key. 

Thus, only the center knows who asked what infor- 
mation, this preventing center impersonation; only tiie 
inquirer can decrypt the answer, thus an eavesdropper 
cani use the information. FurthenTK)re, by providing 
only the public key of tiie desired addressee, a higher 
level of protection is achieved, since even if ttie key is 
compromised, the encrypted message using tiiat key is 
still protected, since the private key was not disclosed. 

According to a fourtfi aspect of the present inven- 
tion, a secure encryption key distribution center is dis- 
dosed, perfonriing ttie key distribution process as 
detailed hereinbefore, when addressed by a user's key 
distribution devica Also disdosed is a system including 
a plurality of such centers, conneded In a wkle area 
network for fast updating of key information so all the 
centers provide kientical. updated information. 

According to a fifth aspect of the present invention, 
ttie key distribution center creates a "certificate" . ttiat is 
a digital safe key/ Identification package for each user. 
The certif toate can be used in an open link transaction 
between users for ttie secure link establishment 
Each certifkate includes the public key fa a user, 
togetfier witti kientif ication information for ttiat user and 
ttie issue date, all encrypted wrtti the private key of tiie 
key distribution center. 

The algorittim is based on a public key algorittim which 
is symmetrical witti respect to ttie enayption and 
decryption keys, using package encryption witti tiie pri- 
vate (decryption) key of ttie key distributicwi center. 
Unlike ottier key distrfoution systems, in ttie present 
invention ttiere is no need to keep focal of ottier 
users keys; during ttie link setup transaction, each party 
sends its certificate to Immediately and reliably estab- 
lish its identity. 

According to a sixtti aspect of ttie present invention, 
ttie certificate can be frequentiy changed, to maintain a 
high level of security. This protects the information If ttie 
user^ key is compromised, and also provUes for easy 
recovery if the private key of ttie center itself is compro- 
mised; ttiis is a catastrophic situation for ottier systems. 

According to a seventh aspect of the present inven- 
tion, the certificate can be used to access a multitude of 
remote databases or ottier information sendees on an 
irregular basis, wittiout ttie need to subscribe to all of 
them The method invohfes the user to present a certifl- 
cate issued to him by the center, indudng an auttioriza- 
tion to access databases and an optfonal 1^ of 
permitted operations therein. 

According to an dghtti aspect off ttie present inven- 
tion, the certTicate may be used fbr secure payment 
over insecure Gnks, fbr eExample ttie Internet. The credit 
card Information is protected from unauthorized use by 
ttie seller or ttiird parties participating in Internet for 
example, by ttie indusfon of the crecfit card information 
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in the encrypted certificate, with that certificate capable 
of being decrypted only Ijy the authorized party, the 
credit card issuer for example. 

According lo an ninth aspect of the present inven- 
tion, the ciertif icate rtWY be used for caller identificaton, s 
with the subsequent communication being either 
encrypted or not Caller identification is implemented by 
the exchange of certificates as detailed. Applications 
include Caller identification be beneficial in a wide 
variety of applications, for exanple telephone and fax, 10 
celluIarAwlreless phone, computer communications, 
remote control/ base station, access control. 

According to an tenth aspect of the present inven- 
tion, the certificate allows to implement flexible auttiori- 
zation schemes, for example its time period of vaDdity is 
may be limited as desired, according to application and 
circumstances. Anotfier implementation is to im:lude a 
list of auttiorizations or actions pennitled for tfiat user to 
do. or databases to access, or permitted operations in 
those databases. so 

Thus, the present invention facilitates secure com- 
munications between users having encryption 
machines which had no previous secure communica- 
tions therel)€tween; furthermore, the invention provides 
protection for database services providers and these 2b 
services' users, by facilitating user autfientication and 
selective (encrypted) data disseminaiioa Furttiermore. 
the invention provides for renable'calior identification for 
encrypted or nonencrypled communications. 

Furttier objects, advantages and other features of so 
the present invention will become obvious to tiiose 
skilled in the art upon reading tiie cfisdosure set forth 
hereinafter. 

The invention vtnll now be described by way of 
example and witti reference to the accompanying draw- ss 
ings in which: 

Rgure 1 is a description of the overall structure of 
the enayption key distribution system 

40 

Figure 2 details tiie key management device con- 
nected to a user's encryption machine tbr analog 
communicatfons. 

Figure 3 illustrates the key management device 4S 
connected to a user's encryption machine for digital 
data communk»tions. 

Figure 4 details tiie key management devfoe struc- 
tura so 

Figure 1 illustrates an example of the overall struc- 
ture of tfie encryption key distribution system, a user 
encryption facility 1 comprises an enayption machine 
21 and a k^ management device. ss 
Encryption machine 21 includes plaintext channel 211 
to communicate witti ttie local user, and cipherteKl 
channel 212 connected to another user tiirough a 



standard communication channel 213, using wired or 
wireless communication means. 

The key management device includes key manage- 
ment controller 314 and channel interface 41 . 
The operation of tiie system components will now be 
detailed, assuming tiie initiator is facility 1 and tiie 
addressee Is user encryption facility 3. The user enters 
the details of tiie desired addressee tiirough channel 
313. which may consist of a local keypad or a link to a 
compute. 

This is the identification of the person or facility to 
establish a communication Knkwith. If tiie keys for ttiat 
addressee are found in the local list in controller 31 4, as 
detailed below witti reference to Rg. 4. ttien key setup 
channel 311 is used to transfer the encryption and 
decryption keys for ttiat addressee, togettier vntti 
optional additional parameters from key management 
device 314, to encryption machine 21, saki keys being 
subsequenfly used encryption machine 21 . 

The encryptfon and decryption keys consist of dig- 
ital bits or words in serial or parallel form, usable for 
encryption or decryption using known mettiods like DES 
or public key algorittims like the RSA mettiod. 

ff tiie keys for tiie desired addressee are not fbund 
in ttie local list, ttien key management controller 314 
automatically connects ttie secure encryption key distri- 
butfoihj center : 11 tiirough key distnTDutioh channel 103. 
and sends an irkjuiry itiessage aisking for ttie pdtAlc key 
for ttie addressee, facility 3 in tills example, ttie mes- 
sage being encrypted viritti ttie public key for center 11. 
Key distribution channel 103 Is a communication chan- 
nel used Ibr ttiat purposa 

Center 1 1 decrypts the message, verifying the Wen- 
tity of fecilrty 1 in ttie process; the answer is sent to facil- 
ity 1 . encrypted wntti ttie public key for ttiat fadlity. The 
mettiod used for facility 1 identification is detailed befow. 
see step 3b of ttie key distribution center 1 1 algorittim. 

FadGty 1 can now access facility 3, to initiate a 
mutual kf entif ication and key and parameters setting for 
a secure communication session. 
The communication patti consists of controller 314, 
tiirough date initiation channel . 312. encryption in 
machine 21. ttirough dphertext channel 212, channel 
interf^e 41. commura'catibn channel 213 connected to 
communication channel 233 at fadfity 3, to channel 
interface 43. tiirough dphertext channel 232, decryption 
in machine 23, tiirough data ir^tiation channel 332. to 
controller 334. 

setup channel 311 is used in fadlity 1 during an 
initiating procedure before ttie abovedetalled communi- 
cations, to foad ttie encryption and decryption keys 'm 
machine 21 from controller 314. 
Simifariy. channel 331 in fadlity 3 is used to load ttie 
encryption and decryption keys in machine 23 from con- 
troller 334. 

Channel Interiiace means 41 includes means for 
perfonfiing functions as required by communication 
channel 213, like phone dialing, signial level control, 
impedance loading. 
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Interface unit control 812 is used by controller 314 
to control the channel interfece means 41 , accorcfing to 
the operating mode and link establishment stage, as 
detailed below. 

Facility 3 also includes plaintext channel 231, s 
ciphertext channel 232 connected to communication 
channel 233, addressee details channel 333, Interface 
unit control 832, key distribution channel 107. 

A secure encryption key distribution center 11 is 
connected to a multitude of user encryption fadiities, io 
two of these being designated as 1. 2 in Rg. 1. 
Center 11 uses key distribution channels designated 
101. 102, 103. 104. Center 11 includes a (not shown) 
computer including a list of users with their respective 
public keys and other data: each user's phone nuntf)er is 
and address, last update date, whether a dialer/ user 
automatic idaitif ication is to be performed. The compu- 
ter also controls the various activities in the center with 
the encryption machine, the channel interface and the 
local operator. 20 

The computer also includes an interface to operator 
(not shown) for status or warnings display, control and 
manual ke^ update. 

Channel interface means (not shown) in center 11 are 
similar to channel interface means 41 in facility 1 as 25 
detailed above, including means fbr perfbnning func- 
ttons as required by communication channels 101, 
1 10... tike phone dialing, signal level control, impedance 
loading. Since center 1 1 is capable of connecting simul- 
taneously to numerous users, a channel interface hav- 30 
ing this capability Is used, as known in the art. 

Encryption machine means (not shown) in center 
1 1 are similar to that in facility 1 . Faster, more powerful 
machines may be used for higher throughput 

Facility 2 comprises encryption machine 22 and key ss 
management controller 324, with interface unit control 
822, channel interface means 42, communfoatlon chan- 
nel 223, cfata initiation channel 322. used in facility 2 to 
oommunfcate with facility 1 or any other user. Facility 2 
also Includes encryption machine 22, key management 40 
controller 324, plaintext channel 221 , ciphertext channel 
222, addressee details channel 323, key distribution 
channel 104. Channel 321 Is used to load the encryp- 
tfon and decryption k^ in machine 22, from controller 
324. ^ 

Likewise, key distribution center 1 2 is connected to 
a multitude of user encryption facilities, like fadlity 3, 
using key distribution channels designated 105, 106. 
107. 108, 109. All the centers 11. 12. ... contain the 
same list of encryption keys. so 

Inter-center finks 1 10. 1 1 1 , 1 12 are used to connect 
the key cfistributlon centers for key data updates, using 
a cfigital. secure (encrypted) fonnat 
Thus, after a user updates his/ her key with the tocal 
center, the fists in all the centers are updated automati- 6s 
cally. to provide updated information to all the system's 
users. 

Thus, the abovedetailed apparatus and method fbr 
transfenfng the encryption key allow to establish a 



secure communication link between two fadiities with 
encryption machines. 

Moreover, reliable identification of the partes to a new 
communication session can be performed, that is each 
party can ascertain the identity of the other party. The 
reliable identification can be performed between parties 
whfoh had no previous communications tfierebetween, 
the parties being strangers to each other and at st- 
rata locations, remotely located; the identification proc- 
ess uses the same data communication link as the data 
communication to be performed after the identification 



Furtiiermore. each user equipment can indude a 
key generation machine, that is a processor which 
accepts a random numt)er from the user arxj generates 
a key pair (a public key and a private key). Only ttie pub- 
lic key is transmitted to tiie center or oOienvise dis- 
pfayed; tiie private key is kept secret, inskle tiie 
machine, and is only used to decrypt or encrypt mes- 



This apparatus and mettiod allow to generate new keys 
whenever tiie user so desires, and the private key is 
securely kept. 

Additional physical key protection means can be 
used, for example tiie key generation machine is 
mounted in a cellular telephone; the user personally 
keeps tiiat telephone, thus ensuring ttiat tiie private key 
Is safe. 

Fbr tiie use of tiie invention in a cellular telephone, 
anotiier implementation Is not to Include the key pair 
generating machine in tiie telephone; the user can go to 
a cellular telephone company center to conpute ttiere 
and load new keys, for example by connecting to termi- 
nals in ttiat center. 

Another implementation uses an external key gen- 
erating machine carried by a cellular telephone repre- 
sentative. The machine has tiie processing ability 
required for key generation, but has no internal memory 
to keep the generated keys. Thus, the machine is con- 
nected to a cellular telephone, it generates the key pair 
and transfers tiie keys to tiie cellular telephone. 

Since tiie machine cannot keep tiie keys, only the 
user of ttiat cellular telephone has ttie key pair, ttius ttie 
keys cannot be compromised even by tiie telephone 
company personnel. 

This mettiod for user auttientication arxJ selective 
data dissemination can be used in finandal transac- 
tions, for example to pay witii credit cards througji inse- 
cure links, and where the payee himself msy be 
unreliable as well. An unrelfable payee cannot make 
unautfiorized use of the information in the card, since 
ttiat information Is encrypted and is not available to him/ 
her. 

The mettiod can be used to establish cellular phone 
links, while preventing an Impersonator from stealing 
phone communication rights from ttie le^'mate tele- 
phone owner. The mettiod can be used as well to pro- 
tect wireless remote contrd devices (for exanrple car 
locks or garage openers). 
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The operation of the key management device was 
described in the context of the whole secure communi- 
cation system. 

The algorithm for each of the system conponents 
will now be detailed, assuming the addressee is user s 
encryption fadlity 3 comprising an encryption machine 
23. management controller 334 and Interbce 43. 
These algorithms are executed concurrently or sequen- 
tially. 

The algorithm for connection initiating device 314 io 
comprises the following steps: 

la. D&hce 314 receives the addressee 3 details 
through channel 313 

2a. If the addressee 3 details are found in the local 75 
list, then: the encryption and decryption keys are 
transferred to machine 21 through channel 311; 
jump to step 7a (No need to contact the key distri- 
bution center 11) 

3a. The desired addressee 3 details, together with 20 
Identification details for facility 1 and a group of ran- 
dom bits, are encrypted using the public key for key 
distribution center 1 1 to form an inquiry message 
Communication channel 103 is established with 
center 11, and the encrypted Inqinry message is 25 
send to center 11 (which then performs steps Ibto 

5band7k^or1bto3band6bi7b. as detailed 
below) 

4a The answer from center 1 1 (step 5b there) is 
decrypted using the private decryption key for fadl- so 
rty 1. That answer contains the public key 16r the 
desired addressee 3 and the group of random bits 
sent to center 11; 

5a If the received group of random bits are not 
identical to the transmitted random group, then as 
jump to step 6a (Answer from impersonator); other- 
wise the answ©' is accepted as legitimate, then: the 
public key contained therein is transferred to 
machine 21 through channel 31 1, together with the 
private key for facility 1 ; update local keys list with 4o 
the key received from center 1 1 ; jurrp to st^ 7a 
6a. Display message: Failure to get public key for 
desired acMressee; Stop 

7a Prepare an initial message for fecfli^ 3. com- 
prising data kJentifying f^Oty 1 and a group of ran- 45 
dom bits, encrypted with the public key fbr fodfity 3 
8a. Use channel interfoce 41 to access fadlity 3 
through channel 213. virfiich is connected to chan- 
nel 233 at fadlity 3. Send initial encrypted message 
to facility 3 (facility 3 performs then steps 1c to 9c or 5a 
part of these steps, according to its algorithm 
detailed below) 

9a. Caller/ addressee identification: Receive mes- 
sage from fadlity 3, decrypt with the private key for 
fadlity 1. extract the group of random bits sent to ss 
facility 3 and compare with the group sent; if not 
Uentical, then jump to step 10a; othenwise: encrypt 
the received random bits generated in fadHty 3 with 



the public key for fadlity 3 and send the encrypted 
message to fadnty 3; jump to step 1 la 
10a. Display message: Addressee kJentincation 
failed; Stop 

11a. Display message indicating successful fink 
establishment; End 

The algorithm for key distribution center 11 com- 
prises the fdlowing steps: 

lb. Distribution center 11 receives encrypted 
inquiry message from facility 1 through channel 
103, together with automatic dfaler Identificatfon 
data received 

2b. The message from fadlity 1 is decrypted using 
the private decryption key for center 11. 
3b. The inquirer k^entifkation confained bfi the mes- 
sage Is compared with the automatic dialer identifi- 
cation data received. If in disagreement, then jump 
to step 6b 

4b. Compile an answer message conrprising the 
desired addressee public key and the groip of ran- 
dom bits received; encrypt using the public key for 
fadlity 1, that key being stored in the c^r 11 
database together with the other encryptfon (public) 
keys 

Send the encrypted message to fadlity 1 ; jump 
to step 7b 

6b. Display warning message: Illegitimate access 
event 

7b. Store details of transaction for optional future 
audit; End 

The algorithm for the addressed device 334 com- 
prises the fdlowing steps: 

1c. Controller 334 receives an initial message 
through channel 233. interface 43. channel 232. 
decrypted In machine 23, through data Initiation 
channel 332; this is the initial message from fadlity 
1. The message is deoypted with the private key 
for controller 334, to extract the message including 
fadlity 1 kfontiffoatfon and the random bits group; 
2c. If the details for fadlity 1 are found in the local 
Bst. then: the encryption and decryption keys are 
transferred to machine 23 through channel 331; 
jurrpt0 8tep7c; 

3c. The fadlity 1 details are encrypted using the 
puWte key for key distribution center 12. together 
with Mentification details for fadlity 3 and a group of 
random bits. Communication channel 107 is estab- 
Tfshed with center 12, and the encrypted message 
is send to center 12. similar to the ^boved^ed 
fadlity 1 inquiry of center 11; 
4c. The answer firom center 12 is decrypted using 
the private decryption k^ for facility 3. That answer 
contains the publfo key for fadlity 1 and the group of 
random bits sent to center 12; 
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5c. If the received group of random bits are Identical 
to the transmitted random group, then: the answer 
Is accepted as legitimate; the putilic key contained 
therein is transfen-ed to machine 23 through chan- 
nel 331, together with the private key for fadlily 3; 
update local Gst with the received from 
center 12;jumpto step 7c 
6c. Display message indicating failure to get public 
key for fedlityl; Stop 

7c. Caller/ addressee kientification: Compile a 
group of random ttts. add to the random bits 
received from facility 1 and encrypt using the public 
key for fadlrty 1; send the m^sage to fadllty 1 
through interface 43 and channel 233; receive the 
answer from fadlity 1, deaypl with the private key 
for fadlity 3, and compare with the Initial group sent; 
if kientlcal. then jump to step 9c 
8c. Display message: Caller identification failed; 
Stop 

9c. Display message indicating successful link 
establishment; End 

Fbr perfonrtng these algorithms and related func- 
tions, each fadlity of Initiator/ addressee can perform In 
one of the following modes of operation: 

1. Initiate dear link communications wHh another 
fadlity 

2. Initiate encrypted Gnk communications with 
another fadnty 

. 3. Accept dear link establishment with another fadl- 
Hy 

4. Accept encrypted fink establishment with another 
fad% 

5. Initiate encrypted link with key distnTxition center 
to get other's key 

6. Initiate encrypted link vwth key distribution center 
to update own key 
recording in the center's list 

7. Key update: prepare pair of keys; update both in 
k>cal lists; send only public key to center. 

8. Key input through pocaO keypad, barcode reader, 
tape reader, magnetic tape reader, vofce. another 
serial communicatfon channel like RS-232 9. Key 
input from another facility, when that fadlity 
changes its keys and sends the new pU)lk; key to Its 
known addressees (according to the k)cal k^ list 
of that fadlity 

The abovedetailed algorithms, bdng implemented 
by the key distribution channel, the communication Initi- 
ata 31 4 and the addressee 334, provWe the benefit that 
the communicatfon with the key distribution centers 1 1 . 
12 Is protected encryption using the puWk; key 
method. 

Thus, the encryption key request is transmitted to the 
center 1 1 after encryption with the center's public key, 
such that only the center 11 can decrypt the message 



using its private key. to klentify the inquirer 314 and the 
addressee 334. 

Safe communications are achieved since only after 
inquirer authentication, center 1 1 transmits the desired 
s infomiation after encryption with the inquirer 314 piibfic 
k^. 

Thus, only the center 11 knows who asked what 
information, this preventing center impersonation; only 
the Inquirer 314 can decrypt the answer, thus an eaves- 
10 dropper cani use the infomiation. 

Furthemiore. by provkiing only the public key of the 
desired addressee 334, a higher level of protection Is 
achieved, since even if the key is compromised, the 
encrypted message using that key Is still protected. 
IS since tiie private key for 334 was not disdosed. 

Additionally, a secure encryption key distribution 
center 1 1 structure and operation was disclosed for per- 
fonning the abovedefailed key distribution process. 
Rg. 1 also details a system including a plurality of 
20 such centers, detailed as 11. 12 there, connected 
through links 110. 111. 112 inawldeareanetworitfor 
fast updating of key information. 

Rg. 2 details the structure and operation of a key 
management device connected to a user^ encryption 
2s machine 21 for anafog communications. 

TTie key management device comprises controller 
314, dfaler/hTKXfem 315 and data switch 51. 
Controller 314 receives ttie details of the desired 
addressee through channel 313, and scans a list of 
30 knovm communication partners in its internal memory 
(not shown). 

If ti)e keys fbr ttie desired addressee are not found 
in the focal list, then controller 314 automatically con- 
nects ttie secure encryption key distrtoution center 
35 using dialer/rrodem 315, ttirough channel 316 and 
channel 103. 

The illustrated implementation uses a modem/dialer 
315 having two outputs. Controller 314 indudes digital 
encryption means (not shown) for secure communica- 
40 tion with the key distribution center through channel 
103. 

Dafa switch 51 connects tiie key management 
devfoe channel 31 7 to communication channel 213 dur- 
ing the secure fink seti^) stage. 
45 During the subsequent communication stage, switch 51 
connects encryption machine 21 to communfcation 
channel 213. 

Controller 314 performs the stages of the secure link 
establishment and controls the state of switch 51 
so according to ttie abovedetailed algorittims. Channels 
211. 212. 311 were already detailed, witti reference to 
Rg.1. 

Rg. 3 details the structure and operation of a key 
management device connected to a user's encryption 
ss machine 21 for digital communicationa The key man- 
agement device comprises controller 314. dialer 315A 
and data switch/ matrix 61 . 

Controller 314 receives ttie details of ttie desired 
addressee ttirough channel 313, and scans a list of 
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known communication partners in its irtemal memory 
(not shown). 

If the keys for the desired addressee are not found 
in the focal list, then controller 314 automatically con- 
nects the secure encryption key distrtoution center (not s 
shown) using cfialer 31 5A, through channels 316, 317 
and 103. This implementation uses a dialer 315A hav- 
ing one output Controller 314 uses digital encryption 
machine 21 for secure comnuinicatfon with the k^ dis- 
tribution center through channel 103, using plaintext io 
channel 311 and cfphertext channel 212. 

Data switch/ matrix 61 connects channel 212 to 
channel 103 for communication with the key distrit)ution 
center; it connects channel 212 to channel 213 during 
fhB secure link setup stage and during the sut)sequent is 
secure convnunications session. 

To estat)lish a link with the key distribution center or 
with the addressee facility, switch 61 connects dialer 
315A to channel 103 or channel 213 respectively, under 
controller 314 control. Controller 314 peribrrns the 20 
stages of the secure link establishment according to the 
abovedetalled algorithms. The operation of channels 
211, 312 was already detailed. 

Fig. 4 details another implementation of the key 
management device, for use with an analog encryption 2S 
machine without dialing capability nor digital communi- 
cations capabilities. A telephone dial line 103A is used 
both for communications with the key distribution center 
and the desired addressee. The key management 
devfoe comprises controller 314, dialer 315A, enct- 30 
pherer 318, decipherer 319 and data switch/ matrix 61. 
Controller 314 receives the details of the desired 
addressee through channel 313. 

If the k^ for the desired addressee are not found 
in the local list, then controller 314 automatically con- as 
nects the secure encryption key distrtoution center 
using dialer 315A, through channels 31 5B, 315C and 
1 03A. Controller 314 uses digital encryption means 318 
and decryption 319 for secure communlcatfon with the 
key distributfon center through channel 1 03 A. 4o 

Data switch/ matrix 61 connects channel 382 or 392 
to channel 103A for data communlcatfon with the key 
distrtoution center or the addressee; it connects channel 
103A to channel 31 5C during the dialing period. 
Data switch/ matrix 61 operation Is controlled tyy control- 45 
ler 314 through channel 341 . 

ControDer 314 performs the stages of the secure 
link establishment according to the abovedetalled algo- 
rithms. After the successful link establishment, control- 
lor 314 transfers the encryptfon and decryption keys to so 
the encryptfon machine to be used for the secure com- 
munication session, through channel 311, then sets 
switch 61 to connect dphertext channel 212 from the 
encryption machine to communication channel 103/1 
Controller 31 4 uses channels 381 and 391 to connect to 55 
encryption means 318 and decryption means 319 
respectively 

There are a wide variety of applfoatfons for the 
abovedetafled key distributfon system. 



For example, in database systems, the encryption 
protects both the database and the user; by using 
encryptfon. user authentfoatlon can be peribnmed, thus 
controlling Information distrfoution only to qualified 
users. Moreover, the encrypted information can only be 
used t)y the legitimate customer. This also protects the 
legitimate user from unjustified bills resulting from an 
impersonator using the databasa 

Various implementations of the abovedetalled sys- 
tem will become apparent to persons skilled in the art. 
For example. Rg. 1 details a system Implementation 
usir^ separate channels for key distrtoution (103) and 
for communications with another user (213); a different 
impiementatfon may use the same channel for both pur- 
poses. 

Communication channels 213. 103. may consist 
of fixed links set up for that purpose, like point to, point 
wired connections or wireless links at predefined fire- 
quendes. or of temporary finks fike phone dial oonnec- 
tfons set up spedTically for the designated functions and 
disconnected after the communfoatlon session comple- 
tion. The channels 212, 103... may then contain the tel- 
ephone exchanges, wiring, wireless components and 
multiptexers and/ or related components of the phone 
system known in the art. 

Communication channels 212, 103, may consist of 
wured and wireless links, like satellite or cellular comnui- 
nk:ations. LAN or WAN systems. 

Various algorithms implementations will occur to 
persons skilled in the art for example in case of link 
establishment failure and key obtained f^ local fist; 
then a key inquiry procedure Is initiated with center 1 1 , 
since the addressee details In the focal fist may be 
obsolete; the key from center 1 1 is compared with the 
key in the local list; if not identical, then: update local list; 
try again to establish link. 

A procedure to update encryption k^ may be peri- 
odically Initiated at each fecillty. the procedure compris- 
ing k^ pair computation, focal list update and serving 
the piibfic key to center 11 through a secure Gnk and 
usir^ a secure procedure; optionally, the new key may 
be transmitted to the known addressees as found in the 
focal list. 

In another impiementatfon of the abovedetailed 
system operation, open communications (not 
encrypted) and without self identiffoatlon. are used to 
inquire the center atxxit the desired addressee's key 
and to receive the center's response. 

The danger of impersonatfon or disinfonnatfon t>y 
the center or the addressee are minimal, since the 
center doesnl know the ideritrty of the inquirer, so no 
selective attack can be peribnfned. against a spectffo 
facHity; if a false key is given, this will only result in the 
autheitfo addressee not being able to respond; there- 
fore the handshake will fail and the communications will 
not take place, tiius preventing tiie protected data from 
bdng transmitted to an undesired destination. 

In another implementation of the present invention, 
key distrtoution center 11 creates a digital safe key/ 
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identification package, as detailed below. The method 
uses a symmetrical public key algorithm, that is either 
the encryption or the decryption key can be used for 
message encryption, with the other key being used for 
decryption. g 
A user, for exanple facility 1. inquires the center 11 
about its own (fadlity 1) public key: center 1 1 responds 
with a message including facility Vs name and k^, all 
encrypted with the private k^ of center 11. 

Now, anyone can open that message with the pub- io 
lie key of center 11. since the encryption algorithm is 
symmetrical: but it is very difficult to aeate a false mes- 
sage, since the center 1 1 's private key, which was used 
to create the message, is unknown to the public. 

Facility 1 can transmit that encrypted digital mes- is 
sage "as Is" to a desired addressee, facility 3 for exam- 
ple, to say In effect "I daim to be fadlity 1. and this is 
truly my public key, as attested by the center 1 1 which Is 
known and accepted by both of us'. Fadlity 3 opens the 
received digital message with the known center's public 20 
key, thus ensuring that the public key for facility 1 is that 
as daimed. 

In case the digital message is intercepted by an 
impersonator and sidssequently used for communica- 
tion with fadlity 3 for example, the communicatk)n hand- 2S 
shake will fell since the impersonator will not be able to 
decrypt the answer from fadlity 3. since it doesnl pos- 
sess the fadlity 1 's private key. 
Because of this added protedton, an open link (not 
encrypted) can be used by any user to askthe center 1 1 so 
about its own or any other user% publk; key; the center^ 
response, the encrypted message, can be used In an 
open link with another user to establish a secure link 
between any two users; 

With each user storing a digital message induding ss 
the encrypted center's answer regarding its own public 
key. no further communications with the center 11 are 
required nor a list of other users has to be kept, in order 
to establish secure communications therebetween: 
Each user sends to the other its own identification, the 4o 
encrypted message from center 11 containing its own 
public key: each user decrypts the received message 
with the known center's public key. and each user is 
sure that that is th e true key of the other. That publto k^ 
is then used for stteequent communications hand- 4S 
shake and data transfer. 

The encrypted response message sent from center 
1 1 may contain the response date and time, in addition 
to the key and the key user's klentifk»tion. 
That date and time may be used to ensure that an so 
updated key (not obsolete) is used. 

Advantages of the abovedetaOed method: the 
center can be accessed on an open fine (not 
encrypted), without seH identif fcation. Thte protects from 
disinfonnation by an intaider at the center. For example, es 
a fraudulent center operator or a fraudulently inserted 
routine may wait for the inquiries of a specific user, and 
respond falsely oriy to selected users which they desire 
to attacK for maximum damage and difficulty of detec- 



tion. By using open inquiries, without self identifK^ation. 
this danger is minimized. 

Various key management device implementations 
will occur to persons skilled in the art like using a DIP 
SMtch or solid state memory for the encryption k^ set- 
ting, or a link to a personal computer. Solid state mem- 
ory devk^es may include EEPROMs. flash memory, 
CMOS RAM or other device known in the art Comput- 
ing means way be used to compute new encryption 
k^ or ksy pairs for public encryption. 

A plug-in devtoe may contain the keys, which device 
may be programmed at the key distribution center, then 
inserted by the user in the key management devfce: tills 
ensures easy key updates as required, together with 
good physical protectton. For example, the plug-in 
device may be kept in a safe urhile not in usa 

Edch user equipment can indude a key generation 
machine, that is a processor whteh accepts a random 
number from the user and generates a key pair (a public 
key and a private key). Only the public key is transmitted 
to the center or otherwise displayed: the private key is 
kept secret, inside the machine, and is only used to 
decrypt or encrypt messages. This apparatus and 
method alk3w to generate new keys whenever the user 
so desires, and the private key is securely kept 

The random nurnber from the user is optional: 
where desired, an internal random numbers generator 
can be used, or a time- related number may be used to 
generate the key pair. 

The method for use of the equipment induding the 
key generating machine win now be desaibed by way of 
example. 

The method used for the initial key pair generation: 

1d. The user is given the equipment, for example 
the cellular telephone or remote contrd unit at an 
authorized dstributton center: tiie user is physically 
kfentified tiiere, for example by means of an kJenti- 
fcation card or driver license. Thus, the center is 
sure tiiat tiie equipment was delivered to the per- 
son which is supposed to receive it; 

2d. The equipment Is activated to generate an 
encryption key pair, that is a private key and a pub- 
fic k^. The private key is never displayed or trans- 
mitted, but is only kept inside the equipment The 
put^k; key is displayed arid/ or transmitted by a dig- 
ital channel to the center: 

3d. The user- related infbntiation Is registered (writ- 
ten) in memory means in the center, that Informa- 
tion induding the user Mentification details and the 
public key generated as detailed in (2d) above; and 

4d. Anyone can now askthe center what is the pub- 
Ite key off that spedf k: user, and the Inquirer will be 
given a reliable answer, that is encrypted with the 
center private key, that that indeed is the public key 
for the user as asked: the user can ask about his 
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own key, and will be given a reliable, encrypted 
answer as well. 

Another implementation of (2d) abo/e. for use in a 
cellular telephone, consists in using facilities in a cellular s 
telephone company center to compute and load new 
keys, for example by connecting to terminals in that 
center. 

Still another implementatfon of (2d) above uses an 
external key generating machine carried by a cellular w 
telephone representative. The machine has the 
processing ability required for key generation, but has 
no internal memory to keep the generated keys. Thus, 
the machine is connected to a cellular telephone, it gen- 
erates the key pair and transfers the keys to the cellular is 
telephone 

The method used for subsequent key pair update: 

la The user connects the center and identifies 
himself, that including the following steps: He/ she 20 
receives a random data btock from the center, 
encrypted with user's public key; the user decrypts 
that message with his private key and encrypts it 
back with the center's public key; the encrypted 
message is sent back to the center; the center 25 
decrypts the message with center's private key and 
verifies that indeed the received message is identi- 
cal with the transnvtted message, this being proof 
of i^*s identity; 

30 

2a The equipment is activated to generate an 
encryption key pair, that is a private key and a pub- 
Bc key. The private key is never displayed or trans- 
mitted, but is only kept inskie the equipment The 
public key is encrypted with center's public key and 35 
is transmitted by a distal communicatfon channel to 
the center: 

3a The center decrypts the message with its pri- 
vate key, thus reliably receiving the new. update 40 
user's public key; and 

4a The new, updated iser- related Infomiatfon is 
registered (written) in memory means in the center, 
that Informatfon including the user Identirication 45 
details and the public k^ generated as detailed In 
(3e)abova 

This method allows for a distributed center struc- 
ture, with small focal centers for user k^ initial setting 60 
and subsequent updata Each local center then trans- 
mits the updated pubGc k^ to the regional or woridwkle 
center. 

Another Implementatfon of (2e) above uses an 
external equpment to compute and toad ttie key pair ss 
into the celWar telephone, as detailed in connection 
with step (2d) abova 

Another variation of (2e) above would be to the user 
to encrypt the new key with thai user's oM private k^, 



then ttie center using ttie old user's pi^fo key to decrypt 
It 

Still anottier variation of (2e) would be to ttie user to 
send the new piblic key witfiout any encryption at all. 
since ttie public key is not seaet 

If ttie equipment containing the private key is lost, 
ttie system security is preserved by ttie folowing 
mettiod: The user, as soon as he detects ttie equipment 
toss, notifies the center accordingly. The center then 
records ttiat ttiat user's public key is obsolete, and any 
ottier user asking for ttiat user's public key will be noti- 
fied accordingly 

The user can load a new key pair wttile he reliably 
kfentifies WmseH, for example as detailed in method 
(Id) to (4d) above. 

An optional watchdog circuit can be attached to ttie 
private key memory meana If a predefined time limit is 
exceeded wfthout ttie equipment being used or updated 
from center, ttien it is assumed ttiat ttie equipment was 
lost, and the private and/ or public key is destroyed. 

The user equipment may include a complete mes- 
sage from center, ttiat message including (user's name; 
user's public key; expiry date or last update date) all 
encrypted witti center's private key. This allows the user 
to identify himself for safe comrnunication purposes* as 
detaned abova The user can update his puWfc key witti 
ttie center anytime he desires, for example if he sus- 
pects ttie previous key was compromised; an impostor 
having a copy of ttie old message from center will not be 
able to use ttie old copy subsequent to ttiat public key 
update. 

If unauttiorized attempts at reading ttie private key 
are detected, then the private key is destroyed as well. 
Additional physical key protection means can be used, 
for example ttie k^ generation machine is mounted in a 
cellular telephone; the user personally keeps that tele- 
phone, thus protecting tiie private key. 

This mettiod for user auttienticatfon and selective 
data dissemination can be used in financial transac- 
tions, for exanple to pay with credit cards ttirough inse- 
cure links, and where ttie payee himself may be 
unreliable as well. 

A mettiod to achieve ttiat goal is as follows, for example 
while User desires to buy an article from Seller, and to 
pay using his credit card, for example Visa: 

If. User decides on ttie article to buy arxJ finds its 
price; 

2f. User encrypts ttie infomiation (Seller details; 
article price; User aedit card number and expiry 
date) viritti ttie Visa publfo key; 
3f. User sends his/her order to Seller. IndiKling ttie 
encrypted infomiation as per (2f) togettiw witti ttie 
nonencrypted information, including ( Seller details; 
desired article details and price; User details, like 
name and address); 

4f. Seller encrypts ttie whole message as per (3f), 
including ttie dear and ttie encrypted parts, witti 
Visa's public key and sends it all to Visa; 
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51. Visa decrypts the message using its private key 

once or twice as required, verifies the integrity of 

the whole niessage and checks User's aedit and 

prepares a sales authorization message; 

6f. Visa encrypts the sales autliorization message s 

with the private Visa key a seller's pt^lic key and 

sends the message to Seller; and 

71 Seller decrypts the message with Visa put}fic key 

or his private key according to the key used at 

encryption, thus receiving a secure, provable and io 

untamperable with authorization to that sale. 

The abovedetailed method offers the following ben- 
efits: User's credit card details (card number, expiry 
date) are protected from eavesdroppers on the commu- is 
nication channel and from Seller, since these details are 
encrypted with Visa's key. which only Visa can read; 
thus, no unauthorized use of User*s card information 
can be niade. Seller cani tamper with the pnce. since 
Seller has no access to the encrypted safes price data. 20 
Sener can prove that he received Visa approval for that 
sale, since only Visa can encrypt that authorizatton 
message with Vtsa's private key. 

In another variation. User encrypts the infbmiatlon 
sent in (3f) above with Seller's public key, to ensure no 2S 
unauthorized person can read the order details at all. 
Only Seller can decrypt the Information and read it 
using his private key, thus preserving the information 
integrity on one hand, and providing proof that Seller 
received User's order on the other hand. $o 

User can save Sdler the effort to connect Visa to 
verify User's aedit as follows: User connects Visa 
befbre buying fifom SeHer. and ask for a credit verifica- 
tfon; Visa sends a package to User, including (User's 
details; credit approval and/ or credit limit; time and date ss 
stamp) all encrypted with Visa's private key; User sends 
that package to Seller; Seller opens the package with 
Visa's public key, thus accepting Visa's approval for the 
sala 

This method can be used to implement a debit or 4o 
money card, since each time a sale is authorized, Visa 
deducts the amount of that sale from that user's credit, 
until a limit is reached and no sales approvals are 
issued thereafter. 

For regular plastic credit cards, tiie Infbnnation 45 
recorded on the magnetic stripe may be encrypted as 
well, to protect tfie Information In ttie card. Encryption is 
done using Visa's public key for example. The reason is 
that the Information is passed to Visa anyway for 
approval and payment to seller, and only Visa actually so 
needs tiie Information stored in tiiat card. Itissafertiiat 
the Information In the card should not be displayed to 
seller nor be stored in seller's data storage means. 

That approval service may also be performed by an 
independent services provider, for example an Insur- ss 
ance.firm; ttiat firm can offer insurance and approval 
senrices. witti fees varying according to the updateAfer- 
ification rate: if more frequent verffications are made. 



then a lower fee may be asked for. since tine risk is 
lower. 

The mettiod can be used to establish cellular phone 
links, and to protect wireless remote control devices, for 
exanple car tocks a garage openers. For that purpose, 
tiie cellular local center (or the garage) sends an 
encrypted message to User; user decrypts it witti his 
private k^, ttius proving his identity; ttiis reliable Identi- 
fication method tfius prevents unauthaized use of cellu- 
lar telephone services by an Impersonator; similariy, a 
garage opening device or a wireless car lock system 
can be protected from unauttiorized use. 

Thus, reliable identification of the parties to a new 
oommunicata'on session can l>e performed, that is each 
party can ascertain the identity of tiie otiier party. The 
reliable identification can be perfonned between parties 
which had no previous communications tiierebetween. 
tiie parties being strangers to each ottier and at sepa- 
rate tocations. remotely located; the identification proc- 
ess uses tiie same data communication link as the data 
communication to be peribrmed after the identifrcation 
stage. The abovedetailed secure communication 
means can also be used for fax communications as 
well. 

The abovedetailed system and metiiod allow a per- 
son on the move to establish secure communications 
with another person, from anywhere to any place on ttie 

globe. 

Various data communication means can be used, fbr 
example telephone lines, radio wireless, nonoontact 
means fike ultrasound or magnetic or capacitiva Acous- 
tic couplers can be used to connect to a telephone line 
without disconnecting ttie telephone or ttie fines, but 
tiirough the telephone nik»t>phone and speaker, like 
that used in modems. 

Magnetic induction means may be used to connect 
to ttie telephone lines, for example using a ferromag- 
netic loop placed around a telephone wire; a second 
winding on tiiat ferromagnetic loop generates alterna- 
tive signals, which are induced in ttie telephone lines 
without disconnecting ttiese lines. The alternative sig- 
nals contain tiie desired infonnation to be transmitted. 

Similariy, electrical signals may be induced into a 
magnetic card reader in a way similar to that used by ttie 
credit cards; again, tiie altemative signals contain ttie 
desired information to be trahsmitted. 

The key management devk:e contains a connector 
for connecting a plug- in device containing tfie encryp- 
tion key storage means; the plug- in device contains a 
corresponding connector and a nonvolatile memory fbr 
storing tiie toy while being disconnected from ttie key 
management device. 

This allows for tiie key to be transportable, to be earned 
to tiie center for programming, or fbr being kept in a safe 
place. 

According to ttie structure and capabilities of 
encryption machine 21. machine 21 may be used to 
endpher/ decipher messages with center 11 and key 
setup messages witii faciOty 3. or additional encryption 
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means In controller 314 may be used for that purpose. 
Therefore, the key distribution device can use the 
encryption and dialing facilities of the existing encryp- 
tion machine, or these features may be Incorporated in 
the key management device. 5 

The deme may include a •CLEAR/SECURE" 
switch, which is set by the user to start controller dialing 
and secure communication establishment 

The secure communication device can include a 
display, for communication related data and tiie details io 
of the partner to the communication session. Thus, after 
secure key exchange and secure communication link 
establishment, each party can see the name and details 
of the other party; each party can thus ensure tiiat he is 
speaking with tfie desired person. is 

Various means for key distribution center 11 can be 
used, like autonf»tic dialer identification, together with 
said dialer infomiation being stored in the distribution 
center for comparison witii ttie actual reading. This fea- 
ture may be optional, to also si«)ort users which doni 20 
have this capability or where the calls pass tiirough a 
switchboard. 

A free key distribution service can be provided to 
qualified users, like tiie use of a 800 number in the 
U.S.A,. or an 1 77 number in Israel. 2s 

Suitable means are required to protect the center's 
public key. One possibility is frequent key changes, and 
public notificatioa for es^mple by proper publications 
such as BBS* or other data bases. 

Center 11 may comprise a centralized structure 3o 
witii one large computer with communication to remote 
locations, or a distributed secure network of local cent- 
ers, witfi countrywide or gIot>al total coverage. 

The noethod of operation of the center in the 
present invention will now be detailed in comparison as 
with existing key dissemination cerrters. 

PGP key management: PGP maintains a public 
server containing a list of public keys. PGP server 
accepts and maintains a file with a collection of identifi- 
cation packages (K^ID). Each kJentification package K 4o 
includes the name and details of a key holder A. 
together with his/her public key. which are signed 
(authenticated) by a third party B which encrypts the 
package witt) his/her private k^. 

Anotiier party C desiring to communicate with a 45 
hoWer A searches for an identiffoation package K 
signed by someone known/ accepted by them, ttius 
"ensuring" that that is the true key. which truly belongs 
to the person as claimed; the third party is 
"known/accepted" in the sense that B befieves that its 50 
encryption key pair are as claimed and are not compro- 
mised. 

Since ary single third party B may be unknown to 
the other party C. key holder A submits a plurality of 
identiffcation packages Ki. each signed by a different ss 
third party Bi; anottier party C desiring to communicate 
with B searches all the packages Ki belonging to A. until 
he finds one signed by a third party Bi known to him. Bj 
is the "common acquaintance" to A and C. 



Thus, ttie PGP server maintains a file with a collection 
of identification packages for a multitude of users, and 
with a plurality of packages for each user. Thus it may 
be difficult to keep this vast quantity of information to 
disseminate it to users. 

Anottier key dissemination metiiod is employed by 
Verisign, which distributes digital "certificates" valid for 
a long time period (for example 5 years). A certiffoate 
indudes tiie name and additional infomiation for a user, 
togetiier witfi the public key for tiiat user and the expiry 
date of the certificate, all encrypted with ttie private key 
of the issuing autiiority. 

Anottier certificate is issued to that first ^ing autiiority 
by a higher second auttiority, that certiffoate including 
tiie public key and additional infbrmation for that first 
issuing authority, and so on. 

This is a hierarchical authorization structure, witii 
user A bringing signatures from persons/ entities Bi at 
several le/els, until a level tiigh enough is reached 
which Is also part of tiie hierarchy of C, thus establishing 
the key transf^ whfoh is auttiorized by the common 
accepted third party. 

A great effort is put into ensuring ttie identity of a 
user before issuing a certificate, and in keeping ttie cer- 
tificates; however, a certificate once issued may be 
oon^promised during its tong lifetime, in which case it is 
diff KuH to replace it; ttie ottier party may not known that 
ttie key is compromised, and may not ask ttie center 
about the validity of the certif toate (since it is wittiin ttie 
validity period). 

The center has no control over the use of an Issued 
certificate while ttie certificate is still valid, during ttie 
fong period as set at issue time; only the "black list" at 
ttie center may give a warning to ttiat effect but ttiat can 
only prevent communications. A reliable key has yet to 
be exchanged between ttie parties, whk;h is difficult in 
this case. 

Users of ttiis system are encouraged to keep a focal list 
of certificates, but tills does not solve the abovemen- 
tioned problems, ahhough it may reduce ttie workload 
on the center. 

The center in our Invention, however, contains a 
single package for each user for any specific key; the 
same user may maintain several keys, for different uses 
or levels of security or under different pseudonyms or to 
be assigned each to a specif fo person hoMIng a specHfo 
position. 

This key management mettiod is beneficial in situations 
where a person changes position in a firm; the new per- 
son in ttie job will not be ak>le to read maH addressed to 
ttie previous person, since the new person wfll be given 
a new key pair. POP senw and ttie ottier carters can- 
not cope with such a sitiation in an easy manner. 

In tiie present invention, the center checks the 
validity of ttie identification package by identifying ttie 
user, for example by his/her holding a vaiki credit card 
and/or calling from a specific focation or phone number. 
This is a lower level of security, implemented by less 
severe user kfentification than tiie ottier mettiods, witti 
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the express purpose of providing an easily accessibie 
arKl usable method of key dissemination for the com- 
mon people; this level of security, however, is main- 
tained an the time with the presented method of easy 
issue of updated certificates at frequent times; thus, the 5 
present method is overall more secure than other meth- 
ods, and rt also more easier to use. 

If required, a subset of the certificates may include 
a higher level of security, based on more stringent user 
identification tor example. This can easily be integrated 10 
in the present invention. But for widespread use. even 
users in that more secure subset are Okely to use certif- 
icates issued at the lower level, to communicate with the 
m^'ority of the users. 

The center issues a certificate which is a digital file/ is 
document containing the name/|pseudonym and details 
for a user, together with his/her public key and the issue 
date, all encrypted with the private key of the center. 
The center ensures there are no duplicate user 
names^eudonyms; new names can be added with rel- so 
ative ease, but to change an existing name the center 
has to approve the transaction, thus achievmg better 
user key protection. 

To ensure key validity in VeriSign, each package 
includes an expiration date. Each key is intended to be £ff 
used for the whole perfod as planned, for example one 
year or two or five years. This is a weak link for other 
systems as well, for example RSA. As the key 
approaches Its expiry date, the chance of Its being com- 
promised irweases, and more verification requests win so 
be placed with the center. 

In our invention, however, the method Is such that the 
kientiricatton package includes the issuing date, such 
that any other party can estimate the validity and relia- 
bility of the key therein. Any key iqDdate results in a new ss 
updated package, which is available to all. 

PGP does not manage the key information, for 
example by checking the valklrty of the Infbrmation or by 
preventing name duplications. 

If a is conpromised, it is practically impossible 40 
to remove it from the server; PGP and RSA only keep a 
second list (the black list) of disabled or canceled keys, 
and users are advised to check that list to ensure key 
rer^bility 

A compromised key cannot be reliably removed since, 4S 
although that can be physicaily deleted, the PGP 
sender cannot prevent a package containing the same 
key from being reloaded by anyone; since an unknown 
nuTT^ of i^ers may hoti copies of the signed package 

with that 1^. any one of them may refoad the key into so 
the PGP server. 

This has the disadvantage that the second list (the 
black list) will be under severe overload stress, since 
any user receiving a package near the expiry date will 
presumably want to check it for validity; any other user 55 
desiring to communicate sensitive information will prob- 
ably desire to check the k^ as wen. 

In our center, however, there is no second, "black- 
list but only a reliable list of certificate& The owner of a 



key may ipdate it at any time, so a compromised key 
vw» not have severe r^dercussions- the user just 
changes it and receives an updated certificate with a 
new date embedded therein. The user presents that 
certificate to other parties to establish secure communi- 
cation therewith. There is no need to keep lists of certif- 
foates or keys, since an updated key is presented by the 
other party with each new communication transaction. 
All Is needed Is an updated public key of the center sup- 
porting these transactions, to use in checking the pre- 
sented certificates. 

The other party to a commurncation transaction can 
always diose to check the key by accessing ttie center; 
the center issues updated certificates to anyone, attest- 
ing to the valkfity of the key for any desired user. There 
is no need to read a t^ack list and therefore there Is less 
toad on the center. 

The user, while establishing an account with the 
cerrter, is given a "cancellation code", that is an klentif i- 
cation code for key changes or cancellation purposes. 
Only change request ttius authorized will be honored, to 
prevent the files from unauthorized changes. 

If the private key of the RSA or otiier simitar centers 
is conpromlsed, this results in a "catastrophe" accoitl- 
ing to tiieir explanation, since anyone can impersonate 
other users. This Is a "total loss" situation. All existing 
keys and identification packages must l)e updated, each 
with its multiple approvals. 

in our invention center, however, if the private key of 
the center is compromised, ttien a user shouU not 
accept an old certificate whfoh may be affected by that 
key, but should ask for a new certificate or access ttie 
center for an updated, reliable certificate. Thus it is eas- 
ier to recover from an occunence of a compromised key 
of the center. Even if someone succeeds in finding the 
private key of the center, they still cannot impersonate 
ttie center, that is they cannot answer phone calls 
placed with the center. Any user suspecting a certificate 
presented to him has tiie option of calling the center to 
get a reliable, updated version of the certificate which 
cannot be tampered with. Thus, the physical phone con- 
nections of tile center provMe a still higher level of secu- 
rity protection in our invention. 

The key distribution center in our invention fonc- 
tions like a phone information senrice, that is service 1- 
411 in tile U.S., or 144 in Israel. It provides an updated 
certificate including the user identification and his public 
key to anyone, that is to any anonymous caller. 
Unlike the phone information sendee, however, the key 
distribution center in the present invention aifows for flre- 
quent changes in the certificates issued. 

In PGP, people are encouraged to keep local lists 
virfth keys for desired conespondents; ttiis is especially 
important since keys are to be.authorized by tiiiixi par- 
ties: ffi RSA. certificates are issued for a fong period of 
use. 

ISto such local keys lists are needed in the center in our 
invention, since the center hokJs the most recentiy 
i^xiated key for each user, available to all; each user 



13 



25 



EP0738058A2 



26 



can hoki a certificate for himself, witfi a recent 
autfiorizatioa to be presented to anoth^ part/ as 
required. 

Anotlier user of public l«y encrypb'on is the PC Fax 
program padoge offered by fi/licrosoft under Windows, s 
This package facilitates the transmission of FAX mes- 
sages which may be optionally encrypted. The FAX may 
be encrypted using a password or a digital key, which 
are conceptually the same. It uses a public ke^ and a 
private k^. under the "Fax Security/Advance Security" 10 
menu. 

Again/they face the same problem of reliable key 
dissemination. Miaosoft advises to exchange diskettes 
containing the key. clearly a difficult to use method. 

A public key can be exchanged by communication is 
means, and again there is the problem of klentifying the 
other party- how one is to know that the answering party 
is truly the person it claims to ba This lack of a practical 
solution attests to the need which is fOled with the 
present invention, of reliable key managentent and dis- 20 
semination using reliable certificates including the pub- 
lic key and infbonatton for each user. 
In the method descn*bed in the present invention, the 
problem faced by Microsoft is easily solved: Each party 
serds its certificate to the other, and a secure link Is 2s 
immediately estaUished. The certificate exchange 
method can be easily integrated in the fax comnunica- 
tion program provkted by Microsoft This is an Indication 
of the nonobvtousness of the present invention, which 
addresses a hitherto unsolved problem. 30 

Another use of the present method of k^ dissemi- 
nation is to access remote databases or other infomia- 
tion services on an irregular basis. With the proliferation 
of remote infonnation services, it is practicaiiy impossi- 
ble for any single user to subscribe to all of thenv 3s 
The subscription is necessary for the service provider to 
charge the user for the service as provided. 
It may be difficult or not economic for the Information 
provklers as well to handle a multitude of users, each 
using the database to only a small extent. 40 
Usually the information is accessed from a remote site 
through data communteation links like the Intemet 

In this application, the key management center acts 
as a user authorization party, by assigning to interested 
users a certificate which enables them to access a mul- 4s 
titude of databases. 

The method includes the folkiwing steps: 

1g. The key management center signs agreements 
with a multitude of information providers, for the ^ 
providers to ^ept inregular users which are 
authorized by the center as attested by presenting 
a digital certificate issued by the center, and to 
charge the center for the sendees provkJed; 

65 

2g. the center accepts and authorizes users to use 
the information services it has business relatkms 
with, including the steps d: 



A. a user accesses the center from a remote 
site; 

B. (optkmal) the user downloads from the 
center a software package to generate an 
encryption key pair and maybe a communica- 
tion routine for subsequent communication with 
the center; 

C. the user identifies himself/herself, for exam- 
ple by provkling a name or pseudonym, and a 
credit card number, virttich may be encrypted 
using the center's putrfk; key or the key pair 
generated in (B) above; 

D. the center checks the validity of the credit 
card; and 

E. if the credit card is valkl. then the user is 
Issued a certif foate which Includes the infonna- 
tion supplied by the user and additional 
optional information like the issue date and 
center details, ail encrypted with the private key 
of the center: and 

3g. ttie user thus auttiorized accesses the desired 
remote services, presents the certificate and is 
accepted as a user of that service. 

Ottier en^iments of the abovedetailed method 
are possfole, for example in (C) above the user may pro- 
vide not the explicit credit card number but an encrypted 
package containing tiiat number, for example encrypted 
with tiie public key of the credit card issuer; then in (D) 
the center sends that package to ttie card Issuer which 
opens it using its private key and issues a transaction 
authorlzatfon to the center, while the center has no copy 
of the crecfit card rtself. This method may prevent tiie 
card number being misused or getting into tiie wrong 
hands. 

The software package sent to a user in step 2g(B) 
above mayl>e Itself encrypted with ttie private key of ttie 
center, to protect from tampering witti ttiat software 
which is an Important constituent of the abovedetailed 
mettiod. since ttie encryption key has to be generated 
by a secure method. 

The servfoe provider may charge directiy the user 
for ttie sennce as provided, using ttie credit card 
number if included in ttie certiffoate. or It ma/ charge ttie 
center whfoh issued ttie certificate, which in turn may 
charge ttie end users. 

Anottier application of ttie mettiod detailed above is 
caller kJentifrcation, witti the subsequent communication 
bang eittier encrypted or not Caller Wentificatfon is 
implemented by the exchange of certificates as detailed 
above. 

Caller identification may be beneficial in a wkJe vari- 
ety of applications, for example telephone, fax. cellu- 
larMireless phone, computer communications, remote 
control/ base station, access control. Present caller 
kientification mettiods may identify a phone number 
belonging to a firm or organization, but ttiere is no kJen- 
tification of a specric user or telephone wHhIn ttiat 
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organization. This problem is solved with the present 
invention. 

The user's encryption machine may include display 
means for dsplaying the other user Identification infor- 
mation which Is included in the received certificate. This s 
may include the real user's name or a nidviame or a 
pseudonym, together with a company name and that 
person's position. This provides for easy and r^lMe 
identiftcation of the parties Involved in a remote commu- 
nication transaction. to 

Since the certificate includes the issue date, its 
validity may be limited as desired, according to.applica- 
tlon and circumstances. I^or example, access control to 
a parking lot m^ be pennitted with a monthly permit in 
one season, whereas a weeMy permit may be required is 
in another season. 

These flexible time limits can be easily enforced with 
present computer technology implementing the method 
detailed in the present invention. 

The certificates issued according to the present 20 
Invention may optionally include a list of auUiorizations 
or actions pemiitled for tiiat user to da or databases to 
access, or pennitted operations in those databases. 
The auttiorizations may be based on the user track 
record or e)$erience or credit rating or security/ klentif i- ss 
catim level. 

This offers the benefit that each user is given access to 
facilities or is allowed to perform operations witiiout tfie 
need to recheck ttieir authorization each time th^ 
access ttiesystm. go 

Claims 



A center (1 1) for safe key distribution to authorized 
and/or unauthorized users (1,2.3). to fodlitate 
establishing a safe communicatfon link, Including: 

(A) Computer means for storing a list of sakJ 
users and their respective encryption keys, for 
retrieving data from and updating said list, for 
preparing digital messages for said users and 
for performing related control functions, 
according to predefined procedures and 
received digital messages from said users; and 

(B) Channel interface means for connecting 
said computer means In said center to said 
users through a communication channel to 
receive and transmit said digital messages with 
said users. 

A center for safe key distribution as claimed in 
Qaim 1, wherdn each of said digital messages 
Includes information iderrtifying one of said users 
(1,2,3) and its corresponding sakJ encryption key, 
an encrypted with tfie private key of said center 
accordirig to a pubfic key encryption algorithm, vwth 
the other key being made pubGc and known to said 
users and/6r to the puUia 
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3. A center for safe key distribution as claimed In 
Claim 2. wherein each of saM digital messages fur- 
titer includes information relating to the time of 
issue of said messaga 

4. A center for safe key distribution as claimed In 
Claim 2, wherein each of said digital messages fur- 
ttier includes information relating to the authoriza- 
tion of said user to peribrm specific actions or 
operatfons. 

5. A method fbr focllltating occasional users to access 
a multitude of remote databases or ottier informa- 
tion services on an irregular basis witii tiie support 
of an authorization center, Including the steps of : 

(A) The key management center signs agree- 
ments with a multitude of Infomiation and/or 
services providers, for saki provklers to accept 
in-egular users whk;h are autiiorized by said 
center as attested by presenting a digital certif- 
icate issued by said c^er. and to charge sakJ 
center for the said infamation/servlces pro- 
vkJed; 

(B) said center accepts and authorizes said 
users to use the information services it has 
business relations witti. including ttie steps of: 

(1) a user accesses the center from a 
remote site; 

(2) the user identifies himselt/herself, fbr 
example by provkiing a name or pseudo- 
nym, and a Credit card number, which may 
be encrypted using ttie center's public key; 

(3) the center checks the validity of the 
credit card; and 

(4) if the credit card Is valid, ttien tiie user 
Is issued a certificate which includes the 
Information supplied by the user and addi- 
tional optional Information like tiie issue 
date and center details, all encrypted wHh 
the private key of the center; and 

(C) the user thus autiiorized accesses the 
desired remote services, presents the certifi- 
cate and is accepted as a user of tiiat sendee. 



6. A method for facilitating occasfonal users to access 
so a multitude of remote databases or other informa- 
tion services as claimed in Claim 5, further Includ- 
ing the steps: 

(la) (after step 1) ttie user downloads from ttie 
ss center a software package to generate an 

encryption key pair and maybe a communica- 
tion routine fbr subsequent communication wHh 
the center; and 
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(4) (to replace step 4 above) if the credit card is 
valid, then the user Is Issued a certificate which 
Includes the Infbrmatioh supplied 1:^ the user 
and additional optional information like the 
issue date and center details, all encrypted 5 
with the private key generated in step (la) 
abova 

7. A key nmnagement device attaching to each one of 
a plurality of user's (1) encryption machines (21) for 10 
the purpose of public key distribution, and includ- 
ing: 

(A) Oiannel interface means (41) lor connect- 
ing with another user (2) or a 1^ distrtoutlon is 
center (11) through a communication channel 
(103). to transmit and^r receive digital mes- 
sages containing Information kientifying saki 
user and sakJ public key for saki user; and 

(B) Key management controller means (314) 20 
for accepting the desired addressee or Initiator 
details, for obtaining sakI key from sakJ center 
tiirough said channel interface, and for transfer- 
ring sakJ key to sakJ encryption 
machine.onnected to sakJ channel interface 25 
and to saki encryption machine. 

a A key management device as claimed in Claim 7, 
further including display means for displaying the 
other user ktentif fcation information included in the 3o 
received certifteate. sM kientifkation infonnation 
Including the real user's name or a nickname or a 
pseudonym and/or a company name and/or saki 
user^ position in saki company. 
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